Platform: php
Component: chamilo-lms
Fixed in: 1.11.39
CVE-2026-33708 affects Chamilo LMS versions 1.11.0 through 1.11.37. The vulnerability resides in the getuserinfofromusername REST API endpoint, which lacks proper authorization checks. This allows authenticated users to retrieve sensitive personal information, such as email addresses, first and last names, user IDs, and active status, of other users within the system. A patch is available in version 1.11.38.
CVE-2026-33708 in Chamilo LMS allows any authenticated user, including students, to access sensitive personal information about other users. The getuserinfofromusername REST API endpoint lacks proper authorization checks and exposes the target's email address, first name, last name, user ID, and active status. This information leak can be leveraged for social engineering, targeted phishing, or user profiling within the educational platform, and the missing access control compromises user privacy and platform integrity. The CVSS base score is 6.5, indicating a moderate but significant risk.
An authenticated attacker, such as a student with a valid account in Chamilo LMS, can exploit this vulnerability by sending requests to the getuserinfofromusername API with the username of any other user. The API will respond with the complete personal information of the target user, without requiring additional credentials or elevated privileges. The ease of exploitation and potential impact on privacy make this vulnerability a significant concern for educational institutions using Chamilo LMS.
Exploit Status
EPSS: 0.03% (10th percentile)
CISA SSVC
CVSS Vector
The solution to this vulnerability is to update Chamilo LMS to version 1.11.38 or higher. This version includes a fix that implements the necessary authorization in the getuserinfofromusername API, restricting access to user information only to those with appropriate permissions. It is recommended to apply this update immediately to mitigate the risk of data exposure. Additionally, review your platform's security policies and ensure users understand the importance of protecting their credentials and being cautious with information requests.
Update Chamilo LMS to version 1.11.38 or later to mitigate the exposure of sensitive personal information. This version includes an authorization check that prevents unauthorized users from accessing user information through the get_user_info_from_username REST API.
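As an added illustration that is not Chamilo's code, the following hypothetical PHP handler shows the class of defect the advisory describes (authentication checked, authorization not) next to a hardened version that lets a caller read only their own record unless they hold an administrative role. The in-memory user table, the role names and the function names are constructed assumptions.

```php
<?php
// Hypothetical lookup-by-username handler (assumption: not Chamilo's code).
// Constructed in-memory user table standing in for the LMS database.
$users = [
    'alice' => ['id' => 1, 'firstname' => 'Alice', 'lastname' => 'Adams',
                'email' => 'alice@example.edu', 'active' => 1, 'role' => 'student'],
    'bob'   => ['id' => 2, 'firstname' => 'Bob',   'lastname' => 'Brown',
                'email' => 'bob@example.edu',   'active' => 1, 'role' => 'student'],
    'root'  => ['id' => 3, 'firstname' => 'Site',  'lastname' => 'Admin',
                'email' => 'admin@example.edu', 'active' => 1, 'role' => 'admin'],
];

// BEFORE: the only gate is "does the caller have a valid session?".
// Any authenticated user can therefore read any other user's profile.
function getUserInfoVulnerable(array $users, string $callerName, string $target): array
{
    if (!isset($users[$callerName])) {
        return ['error' => 'not authenticated'];
    }
    return $users[$target] ?? ['error' => 'no such user'];
}

// AFTER: an explicit authorization decision before any data is read.
// Non-admin callers may only fetch their own record; denials are logged,
// and the "forbidden" answer is returned before the existence check so the
// endpoint cannot be used to enumerate valid usernames either.
function getUserInfoFixed(array $users, string $callerName, string $target): array
{
    if (!isset($users[$callerName])) {
        return ['error' => 'not authenticated'];
    }
    $caller  = $users[$callerName];
    $isSelf  = ($callerName === $target);
    $isAdmin = ($caller['role'] === 'admin');
    if (!$isSelf && !$isAdmin) {
        error_log("authz denied: {$callerName} requested profile of {$target}");
        return ['error' => 'forbidden'];
    }
    return $users[$target] ?? ['error' => 'no such user'];
}

// Same caller, same request, before and after the fix.
var_dump(getUserInfoVulnerable($users, 'alice', 'bob')['email']); // leaks bob@example.edu
var_dump(getUserInfoFixed($users, 'alice', 'bob'));               // ['error' => 'forbidden']
var_dump(getUserInfoFixed($users, 'alice', 'alice')['email']);    // own record still readable
var_dump(getUserInfoFixed($users, 'root', 'bob')['email']);       // admin role still allowed
```

The denial log line is what an interim monitoring rule would key on: a single account requesting many different target usernames is the pattern to alert on.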
Chamilo LMS is an open-source learning management system (LMS) used by educational institutions to deliver online courses and manage student learning.
If you are using a version of Chamilo LMS prior to 1.11.38, you are likely affected. Verify the installed version on your system.
If you cannot update immediately, consider implementing additional security measures, such as restricting access to the API or monitoring network traffic for suspicious activity.
Currently, there are no specific tools to detect this vulnerability. Verification is performed through direct API testing.
You can find more information about this vulnerability in vulnerability databases such as the NIST NVD (National Vulnerability Database).